Congress cannot be trusted to develop any effective legislation about things they don't understand. Every time they try, the best that can be hoped for is something ineffective.

That said, I am glad to see at least some minimum standard being set on things that should never happen, like hard-coded passwords. Still, what I'd really like to see is legislation that makes it a crime to fail to secure something according to basic published security standards. When you put that Windows RDP server on the Internet, you are creating a hazard that will likely be used to harm others. We punish negligent drivers. Why not negligent sysadmins?

Right, there's a bare minimum to meet. But the flexibility and the Government-only factor of this act would make it quite ineffective as a mandatory standard. That said, security doesn't need to be a discussion but a strict requirement. We're talking about hyper-connected networks interacting with each other; there's more to that than basic security requirements.